No problem. We all have our moments.
Welcome!

Chris Marcellin wrote:
Oops, stupid me, sorry, and thanks.

Eric "Shubes" wrote:
You may.

A: Just before the comment:

## Drop outside packets with local addresses - anti-spoofing measure

(That's why I left it in the part I snipped, as reference) Perhaps I didn't make that very clear.

Chris Marcellin wrote:
May I ask, where is the right place to put that rule in firewall.sh?

Eric "Shubes" wrote:
It should work providing you specify the right IP address for your local network. ;) Make sure that you add the line in the right place too, before these packets are dropped.

Works for me.

George M. wrote:
Eric;

The reason why I disabled iptables during installation is simple: I could not ssh, and could not do webmail or a client connection from the same subnet. Another post pointed out my network's vulnerability if somebody hacks into my wireless, so I'm converted. If I use your addition to iptables, I think that my internal webmail and client should work as well. Am I correct?
(Of course I will try as soon as I can.)

George

Let me start by agreeing with Ron's and Erik's replies. No disagreement here. However, let me attempt to be a little more direct to the question.

First and foremost, the iptables toaster rules not only work behind, but are considerate of, a NAT'd router. The only exception I've found to this is when trying to ssh in from a local address. I had to add the following to the toaster's firewall.sh in order to be able to run a headless toaster (ssh in from a local address):

# shubes 5/16/06 - accept packets from local net
iptables -A INPUT -s 192.168.???.0/255.255.255.0 -j ACCEPT
#
## Drop outside packets with local addresses - anti-spoofing measure

Other than that, the toaster firewall rules work just fine, and provide an
additional layer (think onion) of security.

That being said, there may very well be some toaster firewall rules that never fire because they're redundant with your router's rules. If you care to take the time (and risk), feel free to remove them. The question, though, is why? Redundancy is not always a bad thing, especially when it regards security, and when there's no noticeable difference in performance.

So, do you *need* the additional firewall on the toaster?
Well, not necessarily, but it won't hurt (with the exception noted above).
Should you *use* the additional firewall on the toaster?
By all means yes. If you have a reason not to, I'd like to hear of it.
--
-Eric 'shubes'
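The placement point Eric makes above (the local-net ACCEPT must sit ahead of the anti-spoofing DROP, because iptables walks a chain top to bottom and the first match wins) as an added, runnable illustration. This is not the toaster's own firewall.sh: the local network, WAN interface, the anti-spoofing rules themselves (the thread only shows their comment line) and the dry-run shim are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not the QmailToaster firewall.sh. Constructed values:
LOCAL_NET="192.168.1.0/24"   # your own LAN, in place of 192.168.???.0
WAN_IF="eth0"                # interface facing the NAT'd router

# Dry-run shim: record the rules instead of loading them, so this runs
# without root or a real netfilter. Delete this function to load for real.
IPT_LOG=""
iptables() { IPT_LOG="${IPT_LOG}iptables $*
"; }

# shubes-style rule: accept packets from the local net.
# If the box has a separate LAN interface, adding -i "$LAN_IF" here keeps a
# spoofed local source arriving on the WAN side from matching this ACCEPT.
accept_local() {
    iptables -A INPUT -s "$LOCAL_NET" -j ACCEPT
}

# Drop outside packets with local addresses - anti-spoofing measure
# (assumed form: private ranges arriving on the WAN interface are dropped)
drop_spoofed() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        iptables -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done
}

# load_rules accept-first|drop-first : emit the INPUT rules in that order.
# "drop-first" reproduces the mistake of appending the ACCEPT too late:
# local ssh packets hit the 192.168.0.0/16 DROP and never reach it.
load_rules() {
    IPT_LOG=""
    [ "$1" = "accept-first" ] && accept_local
    drop_spoofed
    [ "$1" = "drop-first" ] && accept_local
    printf '%s' "$IPT_LOG"
}

# rule_order_ok RULES : succeeds only if the local-net ACCEPT comes before
# the first anti-spoofing DROP in the recorded rule list.
rule_order_ok() {
    accept_line=$(printf '%s\n' "$1" | grep -F -n -- "-s $LOCAL_NET -j ACCEPT" | head -n1 | cut -d: -f1)
    first_drop=$(printf '%s\n' "$1" | grep -F -n -- "-j DROP" | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$first_drop" ] && [ "$accept_line" -lt "$first_drop" ]
}
```

Run `load_rules accept-first` to see the rule list in the order the thread recommends; `rule_order_ok` is the check you would keep after editing firewall.sh by hand.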




---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]